User Personalization with PHP: The Final Scripts / Page 2

User Personalization with PHP: The Final Scripts (cont'd)

The User Profile

The profile script is responsible for allowing a user to change some of their personal settings, more specifically their:

Email address

Background Color

Picture

The other information such as the password can be changed on the authentication pages. The user access level can only be changed by someone with administration privileges; this will be discussed later on in the administration article that is to follow. Below is a screenshot of the profile page:

The script consists of an HTML section (the form) and a PHP section (the processing code). Its purpose is to display the user's current settings and then to update them as the user requests. The processing code is shown below:

Since the script must first retrieve and then display the information of the currently logged-in user, the code starts by connecting to the database server and running a query that fetches that user's row:

$q = "SELECT * FROM users WHERE uid = '".$_SESSION['id']."'";

Note that we use a session variable holding the user ID stored at the authentication stage, so that we only retrieve information about the current user. That ID comes from the server-side session rather than from the request, which is why it can be trusted as an identifier; it is still spliced straight into the SQL text here, and binding it as a query parameter would avoid that pattern altogether. We then execute the query and make provision for any errors that may occur. If no error is detected, we retrieve the user's row and store it in an array called $row:

Next we check whether the form has been submitted; this is the form that displays and collects the user's information. Then we validate the form data. The only free-text field is the email address, which must be validated. The other two inputs, a dropdown of background colors and a file field for the picture, are not free text, but that does not make them safe to use unchecked: the browser only suggests the dropdown values, and a hand-crafted request can carry any value for the select field and any file, of any type and name, in the upload. Both therefore need server-side checks as well: the color against the list the application offers, and the uploaded file for its type, size and name. To validate the email address we use the checkemail() function:

The checkemail() function has the following code:

For a fuller explanation of the function, please see one of the earlier articles in the series. Once the email address is validated, we check whether the user has uploaded a new picture by looking at the $_FILES array:

if(isset($_FILES['fn'])){

Note that $_FILES['fn'] is set whenever the file field was part of the submitted form, even if the user chose no file; in that case $_FILES['fn']['error'] equals UPLOAD_ERR_NO_FILE, so testing the error code is more reliable than isset(). The idea here is to store the file name, a reference to the image on disk, in the database rather than the image itself. So we need a name for the file, which the script takes from the upload:

$fn = $_FILES['fn']['name'];

The $_FILES array contains all of the information about an uploaded file, including the name it had on the user's machine, which we store in the $fn variable. That name is supplied by the client: it may contain path separators such as ../ or an executable extension such as .php, so it should not be used as-is to build the destination path; a server-generated name, with an extension taken from the verified image type, is the safer choice. Once a name is chosen, we move the file out of PHP's temporary upload location with the move_uploaded_file() function like so:

The above line tries to move the file into the images directory; move_uploaded_file() returns false if that fails, for example because the images directory does not exist on the server. To report why the upload itself failed we use a switch condition, typically on the error code PHP records in $_FILES['fn']['error']:

If any error is encountered while uploading the file, a message is stored in the $msg variable and shown in the form. The next piece of code simply checks whether the image file name is set and then creates a new variable that will be used during the update:

We then store the background color the user selected in a variable called $bgc:

$bgc = $_POST['select'];

Now all that remains is to update the user information. Before doing so, the script escapes the variables used in the query with the mysql_real_escape_string() function, so that quote characters in a value cannot break out of the SQL string. Note that escaping does not reject an unexpected value, so $bgc should additionally be checked against the list of colors the form offers. The mysql_* functions were deprecated in PHP 5.5 and removed in PHP 7; in current code use mysqli or PDO with prepared statements, where bound parameters never become part of the SQL text at all:

Then we make provision for any errors that may occur during the update process:
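The whole profile-update step, written as an added example rather than the article's own code: every client-supplied value (email, dropdown value, uploaded file) is checked on the server, the stored file gets a server-chosen name whose extension comes from the verified image type, and the UPDATE and SELECT use mysqli prepared statements in place of mysql_real_escape_string(). Table and column names (users, uid, email, bgc, picture) follow the series; the connection details, the login page, the images directory, the color list and the 512 KiB size limit are assumptions.

```php
<?php
// Added example, not the article's own code: profile update with every
// client-supplied value treated as untrusted. Table and column names follow
// the series; the connection details, login page, images directory, color list
// and size limit are assumptions. Needs PHP 7.1+ and the mysqlnd driver.
session_start();
if (!isset($_SESSION['id'])) {
    header('Location: login.php');   // assumed login page
    exit;
}
$uid = (int) $_SESSION['id'];
// The dropdown offers exactly these values; anything else in $_POST['select']
// was crafted by the client and is rejected.
const ALLOWED_COLORS = ['#ffffff', '#f0f0f0', '#e0e8ff', '#ffe0e0'];

// Check an uploaded image and move it into $dir under a server-chosen name.
// Returns the stored file name, or null after putting the reason in $msg.
function storeUploadedImage(array $file, string $dir, string &$msg): ?string
{
    // Act on PHP's own error code, not on whether a file name was sent.
    switch ($file['error']) {
        case UPLOAD_ERR_OK:
            break;
        case UPLOAD_ERR_INI_SIZE:
        case UPLOAD_ERR_FORM_SIZE:
            $msg = 'The picture is too large';
            return null;
        default:
            $msg = 'Upload failed (code ' . (int) $file['error'] . ')';
            return null;
    }
    if ($file['size'] > 512 * 1024) {
        $msg = 'The picture is too large';
        return null;
    }
    // Decide the type from the file's bytes; the client's file name and
    // Content-Type are both attacker-controlled.
    $info = @getimagesize($file['tmp_name']);
    $ext  = [IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png', IMAGETYPE_GIF => 'gif'];
    if ($info === false || !isset($ext[$info[2]])) {
        $msg = 'Only JPEG, PNG and GIF pictures are accepted';
        return null;
    }
    // Never reuse $file['name']: it can carry "../" or a ".php" extension.
    $name = bin2hex(random_bytes(16)) . '.' . $ext[$info[2]];
    if (!is_dir($dir) || !move_uploaded_file($file['tmp_name'], "$dir/$name")) {
        $msg = 'Could not save the picture';   // e.g. the images directory is missing
        return null;
    }
    return $name;
}

$db = new mysqli('localhost', 'dbuser', 'dbpass', 'personal');   // assumed credentials
if ($db->connect_error) {
    die('Database connection failed');
}
$msg = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $email = trim($_POST['email'] ?? '');
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $msg = 'Invalid email address';
    }
    $bgc = $_POST['select'] ?? '';
    if (!in_array($bgc, ALLOWED_COLORS, true)) {
        $msg = 'Invalid background color';
    }
    // The picture is optional: treat it as an upload only if a file was sent.
    $picture = null;
    if ($msg === '' && isset($_FILES['fn']) && $_FILES['fn']['error'] !== UPLOAD_ERR_NO_FILE) {
        $picture = storeUploadedImage($_FILES['fn'], __DIR__ . '/images', $msg);
    }
    if ($msg === '') {
        // Bound parameters replace mysql_real_escape_string(): the values never
        // become part of the SQL text.
        if ($picture !== null) {
            $stmt = $db->prepare('UPDATE users SET email = ?, bgc = ?, picture = ? WHERE uid = ?');
            $stmt->bind_param('sssi', $email, $bgc, $picture, $uid);
        } else {
            $stmt = $db->prepare('UPDATE users SET email = ?, bgc = ? WHERE uid = ?');
            $stmt->bind_param('ssi', $email, $bgc, $uid);
        }
        if ($stmt->execute()) {
            $msg = 'Profile updated';
        } else {
            error_log('profile update failed: ' . $stmt->error);   // log it, do not show it
            $msg = 'Update failed';
        }
        $stmt->close();
    }
}
// Re-read the row for display: $row feeds the HTML form and $msg the status line.
$stmt = $db->prepare('SELECT email, bgc, picture FROM users WHERE uid = ?');
$stmt->bind_param('i', $uid);
$stmt->execute();
$row = $stmt->get_result()->fetch_assoc();
$stmt->close();
```

The images directory should be one the web server serves as static files only, so that a stored file can never be executed as a script even if a later change to the type check lets something through; keeping it outside the document root and serving it through a small read-only script is the stricter option.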

Delete Bookmarks Script

The delete bookmarks script is activated when the user clicks on the delete option on the main page. It has the following code:

The code starts off by connecting to the database and starting the session, and then checks whether an ID has been received and validates it:

if(isset($_GET['bmID'])){
if(is_numeric($_GET['bmID'])){

To make sure that the ID we received is usable, we check that it is numeric. This is a simple way of stopping an obvious attack: any user can type a letter into the URL, which would make the query fail and, if error messages are displayed, reveal details about our database to the attacker. We only run the query if the ID has the right type. Note that is_numeric() also accepts values such as "1.5" and "1e3", so for an integer ID, ctype_digit() or filter_var() with FILTER_VALIDATE_INT is the tighter check. If the ID is valid, we clean it for use with MySQL using the mysql_real_escape_string() function:

$id=mysql_real_escape_string($_GET['bmID']);

Then we delete the bookmark from the database. An additional check you can make is to query for the given ID and confirm it exists before running the delete. More importantly, the DELETE should be restricted to the current user's bookmarks by adding the session's user ID to the WHERE clause; unless the query is scoped that way, a logged-in user could delete another user's bookmark simply by changing bmID in the URL. And because the ID arrives via $_GET, the action is triggered by a plain link, so a delete request can be forged from another site while the user is logged in; performing it from a POST form that carries a per-session token avoids that:
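The delete script with those checks in place, as an added example that is not the article's code: the ID is validated as a positive integer (which also makes escaping unnecessary), the request must be a POST carrying the session's token, and the DELETE is scoped to the logged-in user. Table and column names (bookmarks, bmID, uid) follow the series; the connection details, the login and main page names and the csrf field name are assumptions.

```php
<?php
// Added example, not the article's own code: delete a bookmark only when the id
// is a well-formed integer, the request is a POST with the session's token, and
// the row belongs to the logged-in user. Connection details and page names are
// assumptions. Needs PHP 7.0+.
session_start();
if (!isset($_SESSION['id'])) {
    header('Location: login.php');   // assumed login page
    exit;
}
// One token per session; the main page embeds it in each delete form as a
// hidden field named "csrf" (assumed field name).
if (empty($_SESSION['csrf'])) {
    $_SESSION['csrf'] = bin2hex(random_bytes(32));
}

function deleteBookmark(mysqli $db, int $bmID, int $uid): bool
{
    // Scoping on uid turns a guessed or tampered id into a no-op for other
    // users' rows; affected_rows tells us whether anything was removed.
    $stmt = $db->prepare('DELETE FROM bookmarks WHERE bmID = ? AND uid = ?');
    $stmt->bind_param('ii', $bmID, $uid);
    $stmt->execute();
    $deleted = $stmt->affected_rows === 1;
    $stmt->close();
    return $deleted;
}

// A state-changing action must not run on GET: an <img> or link on any site
// would trigger it with the victim's cookies attached.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    header('Allow: POST');
    exit('Use the delete button on the main page.');
}
if (!hash_equals($_SESSION['csrf'], (string) ($_POST['csrf'] ?? ''))) {
    http_response_code(403);
    exit('Invalid request token.');
}
// FILTER_VALIDATE_INT rejects what is_numeric() lets through ("1.5", "1e3",
// " 7") and yields a real int, so nothing needs escaping before the query.
$bmID = filter_var($_POST['bmID'] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($bmID === false) {
    http_response_code(400);
    exit('Invalid bookmark id.');
}

$db = new mysqli('localhost', 'dbuser', 'dbpass', 'personal');   // assumed credentials
if ($db->connect_error) {
    die('Database connection failed');
}
$status = deleteBookmark($db, $bmID, (int) $_SESSION['id']) ? 'deleted' : 'notfound';
header('Location: main.php?msg=' . $status);   // assumed main page
exit;
```

On the main page, each bookmark's delete option becomes a small form, `method="post"` with `action` pointing at this script, a hidden `bmID` field and a hidden `csrf` field holding `$_SESSION['csrf']`; a plain `<a href="delete.php?bmID=...">` link no longer works, which is the point.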

Conclusion

While testing the application I've noticed that the database field called desc in the bookmarks table causes an error when data is inserted or updated, so I've changed the field name from desc to descr. Please adjust accordingly if you are going to use the database schema as per the series. This change and any others are reflected in the accompanying source code.

The final article in the series will deal with administering the application. Administration can basically be described as housekeeping and involves maintaining both components of the application.